Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method for applying data-loss-prevention policies, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
    maintaining a list of applications whose access to sensitive data is controlled by data-loss-prevention (DLP) policies;
    monitoring loading of an application within the list of applications by one or more processes;
    detecting an attempt by a process to access sensitive data;
    determining that the process has loaded the application;
    applying, based at least in part on the determination that the process has loaded the application, a DLP policy associated with the application to the process in order to prevent loss of sensitive data.

2. The computer-implemented method of claim 1, wherein:
    the process comprises a host process that is capable of simultaneously hosting multiple applications;
    the application comprises a hosted application that is hosted by the process.

3. The computer-implemented method of claim 1, wherein:
    the process comprises a host process that is capable of simultaneously executing multiple applications;
    the application comprises a hosted application that is executed by the process when the hosted application is loaded by the process.

4. The computer-implemented method of claim 1, further comprising:
    monitoring loading of an additional application within the list of applications by the one or more processes;
    determining that the process has loaded the additional application;
    determining, in response to determining that the process has loaded the application and the additional application, whether the application or the additional application originated the attempt to access sensitive data;
    applying the DLP policy associated with the application to the process if the application originated the attempt to access sensitive data;
    applying a DLP policy associated with the additional application to the process if the additional application originated the attempt to access sensitive data.

5. The computer-implemented method of claim 1, further comprising:
    monitoring unloading of the application by the one or more processes;
    upon detecting the attempt by the process to access sensitive data, determining that the process has unloaded the application;
    avoiding, based at least in part on the determination that the process has unloaded the application, application of the DLP policy associated with the application to the process.

6. The computer-implemented method of claim 1, wherein:
    monitoring loading of the application by the one or more processes comprises maintaining a list of processes that have loaded the application;
    determining that the process has loaded the application comprises identifying the process within the list of processes that have loaded the application.

7. The computer-implemented method of claim 1, wherein determining that the process has loaded the application comprises:
    examining, in response to detecting the attempt by the process to access sensitive data, a call stack of the process;
    determining, based at least in part on the examination of the call stack of the process, that the attempt to access sensitive data originated from the application.

8. The computer-implemented method of claim 7, wherein the examination of the call stack of the process is performed in response to a determination that the process has loaded more than one application.

9. The computer-implemented method of claim 1, wherein detecting the attempt by the process to access sensitive data comprises monitoring, in response to the determination that the process has loaded the application, the process for attempts to access sensitive data.

10. A system for applying data-loss-prevention policies, the system comprising:
    a maintenance module programmed to maintain a list of applications whose access to sensitive data is controlled by data-loss-prevention (DLP) policies;
    a detection module programmed to detect an attempt by a process to access sensitive data;
    a relationship-determining module programmed to:
        monitor loading of an application within the list of applications by one or more processes;
        determine that the process has loaded the application;
    an enforcing module programmed to apply, based at least in part on the determination that the process has loaded the application, a DLP policy associated with the application to the process in order to prevent loss of sensitive data;
    at least one processor configured to execute the maintenance module, the detection module, the relationship-determining module, and the enforcing module.

11. The system of claim 10, wherein:
    the process comprises a host process that is capable of simultaneously hosting multiple applications;
    the application comprises a hosted application that is hosted by the process.

12. The system of claim 10, wherein:
    the process comprises a host process that is capable of simultaneously executing multiple applications;
    the application comprises a hosted application that is executed by the process when the hosted application is loaded by the process.

13. The system of claim 10, wherein:
    the relationship-determining module is further programmed to:
        monitor loading of an additional application within the list of applications by the one or more processes;
        determine that the process has loaded the additional application;
        determine, in response to determining that the process has loaded the application and the additional application, whether the application or the additional application originated the attempt to access sensitive data;
    the enforcing module is programmed to:
        apply the DLP policy associated with the application to the process if the application originated the attempt to access sensitive data;
        apply a DLP policy associated with the additional application to the process if the additional application originated the attempt to access sensitive data.

14. The system of claim 10, wherein:
    the relationship-determining module is further programmed to:
        monitor unloading of the application by the one or more processes;
        determine that the process has unloaded the application;
    the enforcing module is further programmed to avoid application of the DLP policy associated with the application to the process if the process has unloaded the application.

15. The system of claim 10, wherein the relationship-determining module is programmed to:
    monitor loading of the application by the one or more processes by maintaining a list of processes that have loaded the application;
    determine that the process has loaded the application by identifying the process within the list of processes that have loaded the application.

16. The system of claim 10, wherein the relationship-determining module is programmed to determine that the process has loaded the application by:
    examining, in response to detecting the attempt by the process to access sensitive data, a call stack of the process;
    determining, based at least in part on the examination of the call stack of the process, that the attempt to access sensitive data originated from the application.

17. The system of claim 16, wherein the relationship-determining module is programmed to perform the examination of the call stack of the process in response to a determination that the process has loaded more than one application.

18. The system of claim 10, wherein the detection module is programmed to detect the attempt by the process to access sensitive data by monitoring, in response to the determination that the process has loaded the application, the process for attempts to access sensitive data.

19. A non-transitory computer-readable-storage medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
    maintain a list of applications whose access to sensitive data is controlled by data-loss-prevention (DLP) policies;
    monitor loading of an application within the list of applications by one or more processes;
    detect an attempt by a process to access sensitive data;
    determine that the process has loaded the application;
    apply, based at least in part on the determination that the process has loaded the application, a DLP policy associated with the application to the process in order to prevent loss of sensitive data.

20. The computer-readable-storage medium of claim 19, wherein:
    the process comprises a host process that is capable of simultaneously hosting multiple applications;
    the application comprises a hosted application that is hosted by the process.
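The mechanism the claims describe is easiest to see in code: a host process (a plugin or add-in host, for instance) can load several applications at once, so a DLP policy has to be chosen per attempt rather than per process. The following is an added illustration written for this page, not the patentee's implementation or any product's code. It models claims 1, 4, 5, 6, 7 and 8 with a per-application set of loading processes (claim 6), an unload path that stops applying a policy (claim 5), and a call-stack walk that is consulted only when more than one controlled application is loaded (claims 7 and 8). Application names, module names, process ids, paths and the frame format `module!symbol` are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class DlpPolicy:
    """Policy tied to one DLP-controlled application (constructed example values)."""
    app: str              # name on the list of controlled applications (claim 1)
    module: str           # module whose frames identify the application in a call stack
    protected: Set[str]   # path prefixes this application is not allowed to read


@dataclass(frozen=True)
class Decision:
    allowed: bool
    policy: Optional[str]   # application whose DLP policy was applied, if any
    reason: str


class DlpEngine:
    """Per-process DLP enforcement keyed on which controlled applications a process has loaded."""

    def __init__(self, policies: List[DlpPolicy]):
        self.policies: Dict[str, DlpPolicy] = {p.app: p for p in policies}
        self.module_to_app: Dict[str, str] = {p.module.lower(): p.app for p in policies}
        # Claim 6: for each controlled application, the processes that have loaded it.
        self.loaded_by: Dict[str, Set[int]] = {p.app: set() for p in policies}

    def on_load(self, pid: int, app: str) -> None:
        """Load event from the module monitor; applications not on the list are ignored."""
        if app in self.loaded_by:
            self.loaded_by[app].add(pid)

    def on_unload(self, pid: int, app: str) -> None:
        """Claim 5: once unloaded, the application must no longer drive policy for the process."""
        if app in self.loaded_by:
            self.loaded_by[app].discard(pid)

    def apps_loaded_by(self, pid: int) -> List[str]:
        return sorted(app for app, pids in self.loaded_by.items() if pid in pids)

    def originating_app(self, call_stack: List[str]) -> Optional[str]:
        """Claim 7: walk from the innermost frame outward and return the first controlled
        application whose module appears. Frames are constructed 'module!symbol' strings."""
        for frame in call_stack:
            app = self.module_to_app.get(frame.split("!", 1)[0].lower())
            if app is not None:
                return app
        return None

    def check_access(self, pid: int, path: str,
                     call_stack: Optional[List[str]] = None) -> Decision:
        """Invoked when the monitor sees a process attempt to open sensitive data."""
        loaded = self.apps_loaded_by(pid)
        if not loaded:
            return Decision(True, None, "no DLP-controlled application loaded in process")
        if len(loaded) == 1:
            app = loaded[0]            # claim 8: single candidate, no stack walk needed
        else:
            app = self.originating_app(call_stack or [])   # claims 4 and 8
            if app not in loaded:
                return Decision(True, None, "attempt not attributable to a loaded controlled application")
        policy = self.policies[app]
        if any(path.startswith(prefix) for prefix in policy.protected):
            return Decision(False, app, f"blocked by DLP policy of {app}")
        return Decision(True, app, f"permitted by DLP policy of {app}")


# Constructed policies: two add-ins that may share one host process.
POLICIES = [
    DlpPolicy("mail_addin", "mail_addin.dll", {"/srv/finance/"}),
    DlpPolicy("reporting_addin", "reporting_addin.dll", {"/srv/hr/"}),
]


def run_demo() -> Dict[str, Decision]:
    """Constructed event sequence: pid 100 hosts both add-ins, pid 300 hosts one, pid 200 none."""
    engine = DlpEngine(POLICIES)
    engine.on_load(100, "mail_addin")
    engine.on_load(100, "reporting_addin")
    engine.on_load(300, "reporting_addin")
    stack_from_mail = ["ntdll.dll!NtCreateFile", "kernel32.dll!CreateFileW",
                       "mail_addin.dll!attach_file", "host.exe!dispatch"]
    stack_from_reporting = ["ntdll.dll!NtCreateFile", "kernel32.dll!CreateFileW",
                            "reporting_addin.dll!open_dataset", "host.exe!dispatch"]
    results = {
        "mail_in_host": engine.check_access(100, "/srv/finance/payroll.csv", stack_from_mail),
        "reporting_in_host": engine.check_access(100, "/srv/finance/payroll.csv", stack_from_reporting),
        "single_app_no_stack": engine.check_access(300, "/srv/hr/salaries.csv"),
        "uncontrolled_process": engine.check_access(200, "/srv/hr/salaries.csv"),
    }
    engine.on_unload(100, "mail_addin")   # claim 5: mail policy must stop applying to pid 100
    results["after_unload"] = engine.check_access(100, "/srv/finance/payroll.csv", stack_from_mail)
    return results


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:22} allowed={decision.allowed!s:5} policy={decision.policy} ({decision.reason})")
```

The two decisions on pid 100 for the same path differ only in which add-in's frame the stack walk finds first, which is the attribution step claim 4 requires; the `after_unload` case shows that once only one controlled application remains loaded the engine falls back to the single-candidate path and the unloaded application's policy is no longer consulted. In a real agent the load and unload events would come from a module-load callback and the frames from a stack capture at the open-file hook, both of which are outside this illustration.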
April 7, 2015